Hi, I came across Hexnode’s document on architecting log aggregation using syslog-ng. The idea of centralizing logs through a structured pipeline instead of collecting them in a fragmented way makes sense. https://www.hexnode.com/mobile-device-management/help/architecting-log-aggregation-via-syslog-ng/
Has anyone here actually implemented something similar? I’m especially curious about how it behaves when you scale it across multiple sites.
40 Views
We built something very similar in our environment last year. syslog-ng sits in the middle as the ingestion layer, and everything flows through it before reaching our SIEM. What worked well for us is not sending raw logs directly to the SIEM. Instead, we use syslog-ng to do light filtering and formatting. That alone reduced noise significantly and made analysis easier.
We use syslog-ng disk buffering and reliable mode, and that has saved us multiple times during outages. Without it, incident investigation would have been incomplete. One thing I learned the hard way is that buffering is not optional. When links go down, you either have a buffer or you lose logs.
Yeah, agreed. It’s really good at transport and basic filtering, but if you try to turn it into something that does heavy processing or analytics, it starts getting messy pretty quickly.
Another thing we noticed is flexibility. Once syslog-ng is in place, it becomes easy to fan out logs to multiple destinations without touching the source systems again.
Makes sense. That’s actually helpful to hear, especially around keeping it simple and not overloading it.
Don't have an account? Sign up
